In our application we have the concept of API Keys that are created to access one specific resource.
So, in `ApiKey`, we have:

```elixir
belongs_to :application, App.Application
```
Now in `Application`, I'd like to set the policy that an ApiKey can only access its own application.

This is the entire policy code:

```elixir
policies do
  bypass actor_attribute_equals(:role, :admin) do
    authorize_if always()
  end

  policy action_type(:read) do
    authorize_if expr(id == ^actor(:application_id))
  end

  policy action(:update) do
    authorize_if expr(id == ^actor(:application_id))
  end
end
```
The bypass up top is for when an `Account` accesses this resource; admins should be allowed to do anything.
Now for what I'd expect this to do:

- allow read and update actions on the application with the id set in the API key
- disallow anything else if accessed by API key
However, my unit test fails at the line with the `refute` statement:

```elixir
test "api key can access its application" do
  app_1_id = Ecto.UUID.generate()
  app_2_id = Ecto.UUID.generate()
  key = %ApiKey{application_id: app_1_id}

  assert can_get_application_by_id?(key, app_1_id, log?: true)
  refute can_get_application_by_id?(key, app_2_id, log?: true)
end
```
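The decision table the post describes (admin accounts bypass everything, an API key may read or update only the application whose id it carries, and every other combination is denied), written out as a plain-Elixir model that can be run without Ash. This is an added illustration, not code from the original post and not Ash's authorizer; the module name `AppKeyPolicy`, the struct names and the sample ids are assumptions made for the example.

```elixir
# Added illustration, not Ash code: a plain-Elixir model of the policy
# semantics described above. Module and struct names are assumptions.
defmodule AppKeyPolicy do
  defmodule ApiKey, do: defstruct([:application_id])
  defmodule Account, do: defstruct([:role])
  defmodule Application, do: defstruct([:id])

  # Mirrors `bypass actor_attribute_equals(:role, :admin)` -> `authorize_if always()`:
  # an admin account is authorized for any action on any record.
  def authorize(%Account{role: :admin}, _action, _record), do: :authorized

  # Mirrors `policy action_type(:read)` and `policy action(:update)` with
  # `authorize_if expr(id == ^actor(:application_id))`: an API key is authorized
  # only when the record's id equals the key's own application_id.
  def authorize(%ApiKey{application_id: app_id}, action, %Application{id: id})
      when action in [:read, :update] and app_id == id,
      do: :authorized

  # No policy applied, or the equality check failed: deny by default.
  def authorize(_actor, _action, _record), do: :forbidden

  def can?(actor, action, record), do: authorize(actor, action, record) == :authorized

  # Runs the same scenarios as the post's unit test, plus the cases the
  # bullet list implies (other actions, admin bypass). Returns a keyword list
  # of scenario => boolean so it can be inspected in iex.
  def demo do
    # Constructed sample ids (any two distinct strings work).
    app_1_id = "11111111-1111-1111-1111-111111111111"
    app_2_id = "22222222-2222-2222-2222-222222222222"

    key = %ApiKey{application_id: app_1_id}
    admin = %Account{role: :admin}
    app_1 = %Application{id: app_1_id}
    app_2 = %Application{id: app_2_id}

    [
      key_reads_own_app: can?(key, :read, app_1),        # true
      key_updates_own_app: can?(key, :update, app_1),    # true
      key_reads_other_app: can?(key, :read, app_2),      # false (the refute case)
      key_updates_other_app: can?(key, :update, app_2),  # false
      key_destroys_own_app: can?(key, :destroy, app_1),  # false: no policy covers it
      admin_destroys_any_app: can?(admin, :destroy, app_2) # true via the bypass
    ]
  end
end

IO.inspect(AppKeyPolicy.demo(), label: "policy decisions")
```

This model returns `:forbidden` for a mismatched read because it evaluates the equality against one concrete record. Ash treats `expr(...)` checks on read actions as query filters rather than as a plain allow/deny, so a `can?`-style helper that is asked about a read without a concrete record may not answer `false` the way this model does; when writing `refute` assertions it helps to be explicit about whether the helper is checking a filtered query result or a yes/no authorization decision.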